12 releases (breaking)
0.10.1 | Jul 1, 2024 |
---|---|
0.9.0 | Apr 3, 2024 |
0.8.0 | Feb 5, 2024 |
0.7.0 | Dec 12, 2023 |
0.1.0 | Dec 1, 2022 |
#445 in Cryptography
3,704 downloads per month
Used in 5 crates
1MB
29K
SLoC
decaf377
Many zero-knowledge protocols require a cryptographic group that can be used inside of an arithmetic circuit. This is accomplished by defining an “embedded” elliptic curve whose base field is the scalar field of the proving curve used by the proof system.
The Zexe paper, which defined BLS12-377, also defined (but did not name) a cofactor-4 Edwards curve defined over the BLS12-377 scalar field for exactly this purpose. However, non-prime-order groups are a leaky abstraction, forcing all downstream constructions to pay attention to correct handling of the cofactor. Although it is usually possible to do so safely, it requires additional care, and as discussed below, the optimal technique for handling the cofactor is different inside and outside of a circuit.
Instead, applying the Decaf construction to this curve gives decaf377, a clean abstraction that provides a prime-order group, complete with hash-to-group functionality, and works the same way inside and outside of a circuit.
More details are available on the Penumbra website.
Features
std
: default, for use instd
environments,alloc
: default, for use inalloc
environments,arkworks
: default, uses Arkworks crates for elliptic curve operations,u32_backend
: uses 32-bit finite field arithmetic (default is 64-bit),r1cs
: enables rank-1 constraint system gadgets,parallel
: enables the use of parallelism.
Benchmarks
Run criterion
benchmarks using:
cargo bench
This will generate a report at target/criterion/report/index.html
.
Dependencies
~0.1–1.8MB
~32K SLoC